681e4c359b4b60dc171f5b494efc041e7ee6dd63217f7f91e576a8c5ed7bb779

Analysis

max time kernel
113s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df256e198f411951c578cf19ef02bb70N.exe
Size

32KB
MD5

df256e198f411951c578cf19ef02bb70
SHA1

4338464d3c17d20588612deed26ee79028c59ad2
SHA256

681e4c359b4b60dc171f5b494efc041e7ee6dd63217f7f91e576a8c5ed7bb779
SHA512

bf89fb24b745299c04ccfa649a25f67d1c01fda75d38d4079b578d1503664661b7a39dc6b22f25e91c222f06d979194747a676ea7d3f2b79c6fe7990046ca78a
SSDEEP

768:kBT37CPKKdJJcbQbf1Oti1JGBQOOiQJhATNydWK9WKF9ADJ59ADJsmrH:CTW7JJZENTNyoKIKMmrH

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (369) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0004000000017801-2.dat	upx
behavioral1/files/0x0002000000010463-6.dat	upx
behavioral1/memory/2244-26-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\offset.ax.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Internet Explorer\Timeline_is.dll.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\optimization_guide_internal.dll.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Internet Explorer\networkinspection.dll.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png.tmp	df256e198f411951c578cf19ef02bb70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp.tmp	df256e198f411951c578cf19ef02bb70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df256e198f411951c578cf19ef02bb70N.exe

C:\Users\Admin\AppData\Local\Temp\df256e198f411951c578cf19ef02bb70N.exe
"C:\Users\Admin\AppData\Local\Temp\df256e198f411951c578cf19ef02bb70N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
32KB

MD5
6ecfa9c3233fbb6b75e0564803b4ebd9

SHA1
1188416475197c18bb2b9c6f6e766eeb78d0d6b4

SHA256
a6176687c48a075000c8cadda225d08332c4c83a15e3a35cd83e3b63be9ac553

SHA512
836cec8a01c32ca9cbee7d3dec36d1e34a29623ef229a7a46c813d96eb56be829946db1c55b1b0d9f0daf630637881e9e5ebbcb592766e7fb39acfccef2a1ad1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
41KB

MD5
3ee9d24ebe58705bf3cf62a3bffbdb38

SHA1
1d576d473739d944b7a483cfe2dc4a028a0cc249

SHA256
b7f394733ec5f1d594c2abc4469f0cc281c824d5ce8b8ff4bd62dd0e1f16145c

SHA512
1f16a9b7dc3b87d6b6efbe586ebabd7db48431089c3d7b80ba80fd42ac42eededccaa928df78ae647cd0bd1912b831b425d4cc09004cc08a874e1d38671d9d04

Download Submit
memory/2244-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2244-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download